Strongly secure certificateless short signatures - Semantic Scholar

The Journal of Systems and Software 85 (2012) 1409–1417

Contents lists available at SciVerse ScienceDirect

The Journal of Systems and Software journal homepage: www.elsevier.com/locate/jss

Strongly secure certificateless short signatures Raylin Tso a,∗ , Xinyi Huang b , Willy Susilo c a

Computer Science Department, National Chengchi University, Wenshan, Taipei 11605, Taiwan School of Mathematics and Computer Science, Fujian Normal University, China c Centre for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Australia b

a r t i c l e

i n f o

Article history: Received 3 May 2011 Received in revised form 4 October 2011 Accepted 5 January 2012 Available online 30 January 2012 Keywords: Bilinear pairing Certificateless signature Random oracle Short signature Strongly secure

a b s t r a c t Short certificateless signatures have come into limelight in recent years. On the one hand, the property of certificateless eliminates the certificate management problem in traditional PKI and the key-escrow problem in some ID-based signature schemes. On the other hand, due to the short signature length, short certificateless signatures can be applied to systems where signatures are typed in by human or systems with low-bandwidth channels and/or low-computation power, such as PDAs or cell phones. However, there has been a trade-off between short certificateless signature schemes and their security levels. All existing short certificateless signature schemes can only be proven secure against a normal type adversary rather than a stronger one, who can obtain valid certificateless signatures under public keys replaced by the adversary. In this paper, we solve this open problem by given an efficient strongly secure short certificateless signature scheme. The proposed scheme has the following features. Firstly, it is strongly unforgeable. Secondly, the security can be reduced to the Computational Diffie–Hellman (CDH) assumption – a classic complexity assumption. Lastly, the proposed scheme is provably secure against adversaries with access to a super signing oracle which generates valid certificateless signatures of messages and public keys chosen by the adversary (without providing the corresponding secret values). © 2012 Elsevier Inc. All rights reserved.

1. Introduction In traditional public key cryptography (PKC), the authentication of a user’s public key before using the key is necessary. It ensures that the public key has not been tampered with or replaced by a malicious third party. In serving this goal, the general approach is to use Public Key Infrastructure (PKI) in which a trusted authority, called Certification Authority (CA), issues certificates to bind users and their public keys. However, the certificate management in traditional PKI (e.g., certificate revocation, storage, distribution and verification) is generally considered to be costly to use and manage. Identity-based (ID-based) cryptography, which was first introduced by Shamir in 1984, is introduced to overcome the aforementioned problem. In an ID-based cryptosystem, users can use their unique identifiers (e.g., names or e-mail addresses) as their public keys. These public keys are publicly known and do not need certificates to ensure their authenticity. Thus, the problems associated with certificates can be eliminated. However, this kind of ID-PKC has an inherent key escrow issue, namely the Private Key

∗ Corresponding author. Tel.: +886 2 2939 3091x62328. E-mail addresses: [email protected] (R. Tso), [email protected] (X. Huang), [email protected] (W. Susilo). 0164-1212/$ – see front matter © 2012 Elsevier Inc. All rights reserved. doi:10.1016/j.jss.2012.01.016

Generator (PKG) (which generates private keys for users) has all users’ private keys. This requires the full trust on the PKG. Certificateless cryptography was proposed to solve the key escrow problem inherent in ID-based cryptography on the one hand and to eliminate the use of certificates in the conventional PKI on the other hand. It was first introduced by Al-Riyami and Paterson in 2003. In a certificateless cryptosystem, the third party, which is called KGC, only generates partial private keys for users while users independently generate their own public/secret key pairs. Cryptographic operations in the system are performed successfully only when both the partial key and the secret key are known. This way, the KGC is unable to obtain secret keys of users and the key escrow problem can be overcome in certificateless public key cryptography. Following Al-Riyami and Paterson’s pioneering work (Al-Riyami and Paterson, 2003), many certificateless cryptographic schemes (Au et al., 2007; Gorantla and Saxena, 2005; Huang et al., 2005, 2007; Tso et al., 2008, 2011; Yap et al., 2006; Yum and Lee, 2004; Zhang et al., 2006) have been proposed recently. Since there is no certificate to ensure the authenticity of the user’s public key in certificateless public key cryptography, it is necessary to assume that an adversary is able to replace the public key with a false key of its choice, which is also known as key replacement attack. One assumption in certificateless public key cryptography is that KGC never mounts the key replacement attack.

1410

R. Tso et al. / The Journal of Systems and Software 85 (2012) 1409–1417

Short signatures can provide a high security level with relatively short signature length. As an example, BLS (Boneh et al., 2001) short signature has half the size of a DSA signature for a similar level of security. Short signatures have many potential applications in real life. For example, as mentioned in Bellare and Neven (2006), wireless devices such as PDAs, cell phones, RFID chips and sensors, have a short battery life. Communicating even one bit of data uses significantly more power than executing one 32-bit instruction (Barr and Asanovic, 2003). Thus, reducing the number of bits in communication saves power and is important to increase the battery life. Also, in many settings, communication channels are not reliable, and thus the number of bits one send should be kept as few as possible. Recently, short signatures have been investigated intensively and many short signature schemes have been proposed (Boneh and Boyen, 2004; Tso et al., 2009; Zhang et al., 2003). We believe it is worthwhile to introduce the notion of short signatures into certificateless cryptography, and design certificateless signatures with short signature length.

signature is existentially unforgeable and, given signatures on some message m, the adversary cannot produce a new signature on m. Short signatures are clearly strongly unforgeable since each message has a unique signature. • The proposed scheme not only enjoys a high security level, but is also very efficient. Signing a message requires only one exponentiation and one multiplication in a multiplicative cyclic group G1 , and signature verification requires only 2 pairing (on-line) operations.

1.1. Motivations

2. Preliminaries

The first certificateless signature scheme with short signature length was introduced by Huang et al. (2007) in ACISP 2007. This notion has come into limelight in recent years (Du and Wen, 2009; Fan et al., 2009; Tso et al., 2008, 2011). On the one hand, the property of “certificateless” overcomes the certificate management problem in traditional-PKI-based signature schemes and eliminate the key-escrow problem in ID-based signature schemes. On the other hand, due to the short signature length, they can be applied in systems where signatures are typed in by human or systems with low-bandwidth channels, such as PDAs or cell phones. However, it appears that there is a trade-off between certificateless short signature schemes and their security levels. It was first mentioned by Tso et al. in 2011 that all known certificateless short signature schemes are provably secure against the adversary who can replace a user’s public key PK with PK , but can only obtain valid signatures under PK instead of PK . While such adversaries captures the essence of key replacement attacks, they are certainly weaker than other types of adversaries defined in Huang et al. (2007) and Zhang et al. (2006) where key replacement attackers are also allowed to obtain valid signatures under the false public key PK . It remains as an open problem to construct certificateless short signature schemes with a higher security level than the existing ones (Du and Wen, 2009; Fan et al., 2009; Tso et al., 2008, 2011).

In this section, we briefly review the definition for groups equipped with a bilinear map and some complexity assumptions which will be used for our security proofs. We will also review the definitions of certificateless signatures and their security models.

1.2. Our contributions In this paper, we first define a new type of key replacement attacks against certificateless signatures. We then describe a secure short certificateless signature scheme which has the following features: • The signature size of our scheme is as short as BLS short signature (Boneh et al., 2001). • When compared with all other CLS schemes (Du and Wen, 2009; Fan et al., 2009; Huang et al., 2007; Tso et al., 2008, 2011) with short signature sizes, our scheme is the only one with provable security against key replacement attackers who can obtain valid signatures under false public keys. Existing short certificateless signature schemes provide security against key replacement attackers who can obtain valid signatures only under the authentic public key. • The security of our scheme is based on the classic complexity assumption – Computational Diffie–Hellman (CDH) assumption. • The proposed scheme is strongly unforgeable (Boneh et al., 2006). A signature system is said to be strongly unforgeable if the

Organization of this paper. The rest of this paper is organized as follows. In Section 2, we give some preliminaries required throughout this paper and gives a new type of key replacement attacks against certificateless signatures. Section 3 describes the proposed short certificateless signature scheme, whose security analysis is given in Section 4. Section 5 gives the performance comparison of our scheme with other schemes and the conclusion is given in Section 6.

2.1. Bilinear groups and complexity assumptions Let G1 , G2 be two multiplicative cyclic groups of order p for some large prime p. Our scheme makes use of the bilinear map eˆ : G1 × G1 → G2 between these two groups. The bilinear map should satisfy the following properties: 1. Bilinear: A map eˆ : G1 × G1 → G2 is bilinear if eˆ (g a , hb ) = eˆ (g, h)ab for all g, h ∈ G1 and a, b ∈ Z∗p . 2. Non-degenerate: The map does not send all pairs in G1 × G1 to the identity in G2 . Observe that since G1 , G2 are groups of prime order this implies that if g is a generator of G1 , then eˆ (g, g) is a generator of G2 . 3. Computable: There is an efficient algorithm to compute eˆ (g, h) for any g, h ∈ G1 . A bilinear map satisfying the above three properties is said to be an admissible bilinear map. We can make this map using the Weil pairing or the Tate pairing (Barreto et al., 2002, 2003; Boneh et al., 2001). Next, we describe the complexity assumptions which are required for the security proof of our scheme. Definition 1 (Computational Diffie–Hellman (CDH) problem). Let G be a multiplicative cyclic groups of order p for some large prime p. Let also g be a generator of G, the challenger chooses a, b ∈ Z∗p at random and outputs (g, A = ga , B = gb ). The adversary then attempts to output g ab ∈ G. An adversary A is said to have advantage at least in solving the CDH problem if Pr[A(g, g a , g b ) = g ab ] ≥ where the probability is over the randomly chosen a, b and the random bits consumed by A. The CDH problem is first introduced by Diffie and Hellman (1976). We say the CDH problem is (t, )-secure if there is no ttime adversary can have advantage at least in solving the CDH problem. Definition 2 (Inverse Computational Diffie–Hellman (InvCDH) problem). Let G be a multiplicative cyclic groups of order p for some


large prime p. Let also g be a generator of G, the challenger chooses a ∈ Z∗p at random and outputs (g, ga ). The adversary then attempts −1

to output g a ∈ G. An adversary A is said to have advantage at least in solving the InvCDH problem if −1

1411

ability to replace the public key of any entity with a value of his choice. Type II adversary: This type of adversary AII models a malicious KGC who has access to the master key msk but cannot perform public key replacement.

Pr[A(g, g a ) = g a ] ≥ where the probability is over the randomly chosen a and the random bits consumed by A. The InvCDH problem is first studied by Pfitzmann and Sadeghi (2000). We say the InvCDH problem is (t, )-secure if there is no ttime adversary can have advantage at least in solving the InvCDH problem. Bao et al. (2003) showed the equivalence of CDH problem and InvCDH problem. In Theorem 8 of Section 4, we will show the reductions of time and success probability from InvCDH problem to CDH problem. 2.2. Certificateless signatures Following the definition in Al-Riyami and Paterson (2003), a certificateless signature scheme is specified by seven polynomial-time algorithms: Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-public-Key, Sign and Verify. Setup. This algorithm takes as input a security parameter 1k and returns the system parameters params and the master secret key msk. Usually, this algorithm is run by the third party KGC. We assume throughout this paper that params are publicly and authentically available, but only the KGC knows msk. Partial-Private-Key-Extract. This algorithm takes the system parameter params, the master secret key msk and an identity ID as input. It returns a partial private key DID . Usually, this algorithm is run by the KGC and its output is sent to the user with identity ID over a confidential and authentic channel. Set-Secret-Value. This algorithm takes as input the system parameter params and an identity ID, and outputs a secret value xID . This algorithm is run by the identity ID for itself. Set-Private-Key. This algorithm takes the system parameter params, a partial private key DID and a secret value xID of an identity ID as input, and outputs the (full) private key SKID . This algorithm is run by the identity ID for itself. Set-Public-Key. This algorithm takes the system parameter params, an identity ID and the identity’s private key PKID as input, and outputs the public key PKID for the identity ID. Sign. This algorithm takes the system parameter params, an identity ID, the private key SKID of ID and a message M as input, and outputs a certificateless signature . Verify. This algorithm takes the system parameter params, an identity ID, the identity’s public key PKID and a message/signature pair (M, ) as input, and outputs true if the signature is correct, or false otherwise. 2.3. Security models In this section, we model the behavior of the potential adversaries against certificateless signatures, and provide the definition of the security for a certificateless signature scheme secure against such adversaries. As defined in Al-Riyami and Paterson (2003) and Zhang et al. (2006), there are two types of adversaries with different capabilities: Type I adversary: This type of adversary AI models a dishonest user who does not have access to the master key msk but has the

Generally, there are five oracles which can be accessed by adversaries according to game specifications (which will be given shortly). 1. Create-User: On input an identity ID ∈ {0, 1}* , if ID has already been created, nothing is to be carried out. Otherwise, the oracle runs the algorithms Private-Key-Extract, Set-Secret-Value, SetPublic-Key to obtain the partial private key DID , secret value xID and public key PKID . In this case, ID is said to be created. In both cases, PKID is returned. 2. Public-Key-Replace: On input an identity ID and a user public key PK ID , the original user public key of ID is replaced with PK ID if ID has been created. Otherwise, no action will be taken. 3. Secret-Value-Extract: On input an identity, it returns the corresponding user secret key xID if ID has been created. Otherwise, returns a symbol ⊥. Note that xID is the secret value associated with the original public key PKID . This oracle does not output the secret value associated with the replaced public key PK ID . 4. Partial-Private-Key-Extract: On input an identity ID, it returns the partial private key DID if ID has been created. Otherwise, returns a symbol ⊥. 5. SignSuper : This oracle takes as input a query (ID, m, PKID ), where ID denotes an identity, m denotes the message to be signed, and PKID is the public key which could be the original public key returned from the oracle Create-User or a value chosen by the adversary in the public key space. • If ID has not been created, returns ⊥. • If ID has been created, it outputs a signature such that true = Verify(params, ID, PKID , m, ). The standard notion of security for a signature scheme is existential unforgeability against adaptive chosen message attacks defined by Goldwasser et al. (1988). We use two games to define the existential unforgeability of a certificateless signature scheme against Type I adversary AI and Type II adversary AII . Game 1: This game is executed between a challenger C and an adaptive chosen message and chosen identity adversary AI . Setup: The challenger C runs the algorithm Setup of the certificateless signature scheme to obtain both the public parameter params and the master secret key msk. The adversary AI is given params but the master secret key msk is kept secret by the challenger. Queries: AI adaptively access all oracles defined in Section 2.3 in a polynomial number times. Forgery: Eventually, AI outputs a forgery (ID∗ , PK ID∗ , m∗ , ∗ ) and wins the game if 1. true = Verify(params, ID∗ , PK ID∗ , m∗ , ∗ ). 2. (ID* , m* ) has never been submitted to the oracle SignSuper . 3. ID* has never been submitted to the oracle Partial-Private-KeyExtract or Secret-Value-Extract. Definition 3. Let AdvAI to be the probability of a Type I adaptively chosen message and chosen identity adversary AI wins in the above game, taken over the coin tosses made by AI and the challenger. We say a certificateless signature scheme is secure against Type I adversary, if, for all probabilistic polynomial-time (PPT) adversary AI , the success probability AdvAI is negligible. Game 2: This game is executed between a challenger C and an adaptive chosen message and chosen identity adversary AII .

1412


Setup: The challenger C runs the algorithm Setup of the certificateless signature scheme to obtain both the public parameter params and the master secret key msk. The adversary AII is given both params and msk. Queries: AII adaptively access all oracles defined in Section 2.3 (except the Partial-Private-Key-Extract oracle) in a polynomial number times. Forgery: Eventually, AII outputs a forgery (ID∗ , PK ID∗ , m∗ , ∗ ) and wins the game if the following hold true: 1. true ← Verify(params, ID∗ , PK ID∗ , m∗ , ∗ ). 2. (ID* , m* ) has never been queried to the oracle SignSuper . 3. ID* has never been submitted to the oracle Secret-ValueExtract.

Definition 4. Let AdvAII be the probability of a Type II adaptively chosen message and chosen identity adversary AII wins in the above game, taken over the coin tosses made by AII and the challenger. We say a certificateless signature scheme is secure against Type II adversary, if for all probabilistic polynomial-time (PPT) adversary AII , the success probability AdvAII is negligible. Definition 5. A certificateless signature scheme is existentially unforgeable against adaptive chosen message and chosen identity attacks if it is secure against both Type I and Type II adversaries.

3. Proposed short certificateless signature scheme In this section, we describe a new construction of certificateless signatures with short signature length. It consists of the following algorithms: Setup: Let (G1 , G2 ) be bilinear groups of a prime order p ≥ 2k , where k is the security parameter of the scheme. Let eˆ : G1 × G1 → G2 be an admissible bilinear pairing. Let H0 : {0, 1}∗ → G∗1 , H1 : {0, 1}∗ → G∗1 be two secure cryptographic hash functions. In system initialization, KGC chooses a random number s ∈ Z∗p and an arbitrary generator g ∈ G1 . It then calculates Ppub = gs , and publishes params = {G1 , G2 , g, eˆ , H0 , H1 , Ppub }. The master secret key msk = s is kept as secret by KGC. Partial-Private-Key-Extract: Given an entity’s identity ID ∈ {0, 1}* , KGC sets QID = H0 (ID) and computes the entity’s partial pris . The partial private key D is sent to ID over a vate key DID = QID ID confidential and authentic channel. Set-Secret-Value: The entity ID chooses a random number xID ∈ Z∗p , which is set as the secret value of ID. Set-Private-Key: The entity ID sets his private key as SKID = (DID , xID ). Set-Public-Key: Given SKID , the entity ID computes the public key xID , Q xID ). PK ID = (PK (ID,1) , PK (ID,2) ) = (DID ID Sign: To sign a message m ∈ {0, 1}* , the entity ID computes the −1

2.3.1. A comparison with other security models As one can see, adversaries defined above are very similar to the super adversaries defined in Huang et al. (2007), namely adversaries are allowed to obtain valid signatures under any public keys chosen by itself in the public key space. The only difference is that adversaries in our model cannot request the secret value of the challenge user, while this is allowed in the definition in Huang et al. (2007). The super adversaries defined in Huang et al. (2007) are very powerful. However, it may not be a realistic model since it is usually very difficult for an adversary to obtain the secret value of a user. This is because that the secret value and the partial private key of a user are the most two important information for the user so they are usually kept secret in a very secure way. On the other hand, although our new defined adversary model is not as powerful as that in Huang et al. (2007), it is more powerful than those considered in the existing short certificateless signature schemes, where adversaries cannot request the secret value of the challenge user and can only access the following signing oracle:

signature = DID · H1 (m||ID||PK ID )xID . Verify: Given a message/signature pair (m, ) and ID’s public key PKID , the signature is verified by checking the following two equations. ?

eˆ (Ppub , PK (ID,2) )=ê(g, PK (ID,1) ) and ?

eˆ (, PK (ID,2) )=ê(PK (ID,1) · H1 (m||ID||PK ID ), QID ). If both equations are satisfied, this algorithm outputs true. Otherwise, it outputs false. Correctness: If the public key PKID and the signature are generated correctly according to the protocol specifications, then the correctness holds since xID s xID ) = eˆ (g, DID ) = eˆ (g, PK (ID,1) ) and eˆ (Ppub , PK (ID,2) ) = eˆ (g, QID

−1

xID ) eˆ (, PK (ID,2) ) = eˆ (DID · H1 (m||ID||PK ID )xID , QID −1

= eˆ (DID · H1 (m||ID||PK ID )xID , QID )xID −1

xID = eˆ (DID · H1 (m||ID||PK ID )xID xID , QID )

• SignNormal : This oracle takes as input a query (ID, m), where ID denotes the identity which has been created and m denotes the message. It outputs a signature such that true = Verify(params, ID, PKID , m, ). Here PKID is the public key returned from the oracle Create-User.

3.1. Further observations on our scheme

Based on social engineering, an adversary may be possible to see some message/signature pairs which are valid under the public key chosen by the adversary. Therefore, our new defined model is a more realistic model than that defined in Huang et al. (2007) and those considered in the existing short certificateless signature schemes. Since all the existing certificateless short signature schemes can only be proven secure against normal adversaries who can only access the signing oracle SignNormal , it is worthwhile to have a new short certificateless signature scheme which is proven secure under a more powerful and realistic adversary model in which an adversary is allowed to access the signing oracle SignSuper .

As one can see, there are two equations in the verification phase. The first equation verifies the validity of the public key PKID = (PK(ID,1) , PK(ID,2) ) and the second equation verifies the correctness of the signature . The current scheme is well designed as the adversary cannot obtain any advantage by replacing the public key. So, these two equations together can ensure the security of our scheme. Our proposed scheme belongs to conventional certificateless signatures, which can only achieve Girault’s Level-2 security (Girault, 1991; Hu et al., 2007). That is, KGC must be semi-trusted since it can always impersonate a user by generating a valid publickey/secret-value pair. Girault’s Level-3 security guarantees that without KGC’s assistance, there are no two valid public keys. In

= eˆ (PK (ID,1) · H1 (m||ID||PK ID ), QID ).


other words, the co-existence of two valid public keys is the proof of the misbehavior of KGC. Based on the idea proposed by Wu et al. in 2009, one can always modify any certificateless signature into a certificate-based signature in order to achieve the Girault’s Level-3 security. However, in a certificate-based signature scheme, Girault’s Level-3 security is achieved at the sacrifice of a remarkable feature of certificateless cryptosystems. That is, in a certificateless cryptosystem, the public key PKID of an entity ID can be updated at any time by the entity without changing the partial private key. In other words, one can change the public key by himself/herself, and in particular this process does not need any assistance from KGC. This is the most difference between a certificateless public key cryptography with a certificate-based public key cryptography.

4. Security proofs In this section, we prove that our scheme is secure against Type I and Type II adversaries defined in Section 2.3. In our model, an adversary is able to access the Super Signing Oracle, SignSuper , by which the adversary can obtain valid signatures under the replaced keys without providing the corresponding secret value. This oracle gives adversaries more attack power than those considered in the existing short certificateless signature schemes. Theorem 6 (Unforgeability against Type I adversary). If there exists a Type I adaptively chosen message and chosen ID adversary AI who can ask at most qC Create-User queries, qKEx Partial-PrivateKey-Extract queries, qVEx Secret-Value-Extract queries and qS super signing queries, SignSuper , and can break the proposed scheme in polynomial time with success probability ε, then there exists an algorithm F which, by using AI as a black box, can solve the CDH problem (DefiniCDH tion 1) with probability AdvF ≥ (1 − (1/qC ))qPKEx +qVEx (1 − (1/(qS + qS 1))) (1/(qC (qS + 1)))ε. Proof. If there exists an adversary AI who can break the unforgeability of the proposed scheme via Type I attacks defined in Section 2.3, then we can construct an algorithm F such that F can use AI as a black-box and solve a random instance of the CDH problem. Let (G1 , G2 ) be bilinear groups with bilinear mapping eˆ . Let g be a generator of G1 and let a, b be two random numbers of Z∗p chosen by the CDH challenger C. C computes g1 = ga , g2 = gb and sends the challenge (g, g1 , g2 ) to F. The purpose of F is to find gab , which is the solution to the given instance of CDH problem. In the proof, F will act as the challenger of AI by simulating the oracles defined in Section 2.3. The hash functions H0 , H1 in the proof are regarded as random oracles. Due to the ideal randomness of random oracles, we may assume that AI is well-behaved in the sense that it always makes an H1 -hash query of m||ID||PKID before it requests a signature for m under ID’s public key PKID . In addition, it always makes an H1 -hash query of m∗ ||ID∗ ||PK ∗ID before it outputs the forgery of m* . It is trivial to modify any adversary-algorithm AI to satisfy this property. Setup: F starts by computing Ppub = g1 = ga . F then sends params = (G1 , G2 , eˆ , g, Ppub ) to AI . Query: At any time, AI is allowed to access the following oracles in a polynomial number of times. These oracles are all simulated by F. 1. Create-User: AI can query this oracle by providing an identity IDi . In response to these queries, F first chooses a random number t ∈ {1, . . ., qC }. k i

/ t, F chooses ki , ki ∈R Z∗p and sets H0 (IDi ) = g , (1) If i = ki k

PK (IDi ,1) = g1 , i

PK (IDi ,2) = g

ki k i

.

In

this

case,

the

1413

corresponding partial private key of the entity IDi is

k

DIDi = H0 (IDi )a = g aki = g1i and the secret value is xIDi = ki .

(2) If i = t, F chooses kt , kt ∈R Z∗p and sets H0 (IDt ) = g2 · g kt , PK (IDt ,1) = g1kt , PK (IDt ,2) = g kt . In this case, F will set DIDt = xIDt =⊥ which means that it cannot compute the secret value and the partial private key of IDt . In both cases, the tuple (IDi , H0 (IDi ), DIDi , xIDi , PK IDi ) will be added on the C-List which is initially empty. The adversary AI is given the response H0 (IDi ) and PK IDi = (PK (IDi ,1) , PK (IDi ,2) ). 2. Partial-Private-Key-Extract: At any time, AI can query this oracle by giving an identity IDi . F outputs a symbol ⊥ if IDi has not been created. Else, if IDi has been created and i = / t, F responds k

with DIDi = g1i . Otherwise, F returns failure and terminates the simulation. 3. Public-Key-Replace: AI can request to replace the public key PK IDi of an entity IDi with a new public key PK ID chosen by AI . i

In response, F replaces the original public key PK IDi with PK ID i if IDi has been created. Otherwise, it outputs ⊥. Notice that the replacement of a public key does not require the secret value corresponding to the new public key. 4. Secret-Value-Extract: Given an identity IDi chosen by AI , F outputs ⊥ if IDi has not been created yet. Else, if IDi has been / t, F sends xIDi = ki to AI as the response. created and i = Otherwise, i = t and F reports failure and terminates the simulation. 5. H1 queries: AI can query the random oracle H1 at any time by making a request ωi of the form ωi = mj ||IDk ||PK ID . F k returns ⊥ if IDk has not been created. Otherwise, for the ith H1 query • If IDk = / IDt , F first checks the C-List. (1) If (IDk , , , , PK ID ) is in the C-List, F picks a random elek ment Ri and sets H1 (ωi ) = Ri . (2) Otherwise, (IDk , , , PK ID ) is not in the C-List, which means k

that PK ID is generated by AI itself. F picks i ∈ Z∗p rank

i domly and sets H1 (ωi ) = PK (ID

k ,2)

/PK (ID

k ,1)

. Here, PK ID = k

(PK (ID ,1) , PK (ID ,2) ). k k • Otherwise, IDk = IDt , F first flips a biased-coin which outputs i ∈ {0, 1} with Pr[ i = 1] = and Pr[ i = 0] = 1 − (the value of will be optimized later). (1) If i = 1, F picks a random i ∈ Z∗p and sets H1 (ωi ) = i PK (IDt ,2) . (2) If i = 0, F picks a random i ∈ Z∗p and sets H1 (ωi ) = i PK (IDt ,2) /PK (IDt ,1) .

In both cases, F sends H1 (ωi ) to AI and adds (mj , i , ωi , H1 (ωi )) (in the case IDk = / IDt ) or (mj , i , ωi , H1 (ωi ), i ) (in the case IDk = IDt ) on the H1 -List which is initially empty. 6. SignSuper : For each sign query on an input (mj , IDk , PK ID ), F outk puts ⊥ if IDk has not been created. Otherwise, IDk has already been created. Since we assume that AI is well-behaved, AI has already queried the random oracle H1 on the input ωi = (mj ||IDk ||PK ID ). k

• If IDk = / IDt , and (1) (IDk , H0 (IDk ), DIDk , xIDk , PK ID ) is in the C-List, F uses the k private key (xIDk , DIDK ) of IDk and H1 (ωi ) on the H1 -List to generate the valid signature i for the message mj and the identity IDk . (2) (IDk , , , , PK ID ) is not in the C-List, which means that PK ID

k

k

is generated by AI itself, F sets i = H0 (IDk )i .

Note that i is a valid signature on mj and PK ID =

(PK (ID

k ,1)

, PK (ID

k ,2)

means that PK (ID tion

) if PK ID

k ,1)

eˆ (PK (ID ,1) , g) k

k

k

= PK a (ID

= eˆ (PK (ID

is well-generated (which

k ,2)

as they satisfy the equa-

, Ppub )). k ,2)

Assume PK (ID

k ,2)

=

1414


H0 (IDk )r for some unknown r. The correctness of i can be verified according to the following equation: i = DIDk · H1 (ωi )r

−1

= H0 (IDk )a · H1 (ωi )r

= (H0 (IDk )ar · H1 (ωi ))r

−1

= (PK a (ID

= (PK (ID

k

r ,1) · H1 (ωi ))

r −1

= PK (IDi

k ,2)

−1

=

= H0 (IDk )ri r

−1

k ,2)

PK (ID

−1

CDH

−1

r −1

· PK (IDi

PK (ID

k ,2)

k ,1)

= H0 (IDk )i .

In both cases, F returns i to AI . • If IDi = IDt , then, F first checks the H1 -List. (1) If i = 1, F reports failure and terminates the simulation. (2) Otherwise, i = 0 and F sets i = H0 (IDt )i and returns i to F. Here i is the value on the H1 -List. The correctness of i can be verified in the same way as described above. Forgery: After all queries, AI outputs a forgery (ID∗ , PK ∗ID , m∗ , ∗ ) and wins the game if * is a valid forgery. By assumption, H1 (m∗ ||ID∗ ||PK ∗ID ) is on the H1 -List, where PK ∗ID could be a new public key replaced by AI or the original public key generated by the oracle Create-User. If ID* = / IDt , then F outputs failure and terminates the simulation. Otherwise, ID* = IDt and F will check the H1 -List. (1) If * = 0, F outputs failure and terminates the simulation. ∗i (2) Otherwise, * = 1 and H1 (m∗ ||ID∗ ||PK ∗ID ) = PK (ID . Suppose t ,2) ∗

PK ∗(IDt ,2) = H0 (IDt )r for some unknown r* . Since * is a valid forgery under the public key PK ∗IDt = (PK ∗(IDt ,1) , PK ∗(IDt ,2) ), it follows that eˆ (Ppub , PK ∗(IDt ,2) ) = eˆ (g, PK ∗(IDt ,1) ). Thus, we ∗

r a have PK ∗(IDt ,1) = PK ∗a . Moreover, from the (IDt ,2) = H0 (IDt ) second equation in the verification algorithm, we have ∗ =

DIDt · H1 (m∗ ||ID∗ ||PK ∗ID )r

∗−1

∗ r ∗−1 t ,2)

= DIDt · PK (IDt

= DIDt · H0 (IDt )i .

As ID* = IDt , Ppub = g1 = ga and H0 (IDt ) = g2 · g kt , this implies kt

CDH

AdvF

· H1 (ωi ))r

k ,1)

AdvF ≥ (1 − (1/qC ))qPKEx +qVEx (1 − )qS (/qC )ε. (1 − )qS is maximized at = 1/(qS + 1). Thus,

that DIDt = H0 (IDt )a = g2a · g akt = g ab · g1 . Therefore, F can k

compute DIDt as * /H0 (IDt )i and obtain g ab = DIDt /g1t , which is the solution to the CDH problem. It remains to compute the probability that F solves the CDH problem. Actually, F succeeds if:

≥

1−

1 qC

qPKEx +qVEx

1−

1 qS + 1

qS

The

function

1 ε. qC (qS + 1)

This completes the proof of Theorem 6. Theorem 7 (Unforgeability against Type II adversary). If there exists a Type II adaptively chosen message and chosen ID adversary AII who can ask at most qC Create-User queries, qVEx Secret-Value-Extract queries and qS SignStrong queries, respectively, and can break the proposed scheme in polynomial time with success probability ε, then there exists an algorithm F which, by using AII as a black box, can solve Inv the InvCDH problem 2 with probability AdvF ≥ (1 − (1/qC ))qVEx (1 − (1/(qS + 1)))qS (1/qC (qS + 1))ε. Proof. If there exists an adversary AII who can break the unforgeability of the proposed scheme via Type II attacks, then we can construct an algorithm F such that F can use AII as a black-box and −1 find g a for any given pair (g, g a ) ∈ G21 . Let g be a generator of G1 , and let the bilinear mapping be eˆ : G1 × G1 → G2 . Let a ∈ Z∗p be a random number chosen by the challenger C. At beginning, C sends the challenge (g, ga ) to F. The −1 purpose of F is to find g a . In the proof, F will act as the challenger of AII by simulating the oracles defined in Section 2.3. Hash functions H0 , H1 are regarded as random oracles in the proof. Under this assumption, we may assume that AII is well-behaved in the sense that it always makes an H1 -hash request of m||ID||PKID before it requests a signature for m corresponding to the public key PKID . In addition, it always makes an H1 -hash request of m∗ ||ID∗ ||PK ∗ID before it outputs the forgery of m* . It is trivial to modify any adversary-algorithm AII to have this property. Setup: F sets Ppub = gs where s is randomly chosen in Z∗p . F then sends params = (G1 , G2 , eˆ , g, Ppub ) together with the master secret key s to AII . Query: At any time, AII is allowed to access the following oracles in polynomial time. These oracles are all simulated by F. Note that there is no oracle Partial-Private-Key-Extract in this proof as AII has already obtained the master secret key s. (This enables AII to compute any partial private keys.) 1 Create-User: AII can query this oracle by providing an identity IDi . In response to these queries, F first chooses a random number t ∈ {1, . . ., qC }. k

1 : F does not abort during the simulation. 1 : * is a valid forgery on (ID∗ , PK ∗ID , m∗ ). 1 : ID* = IDt and * = 1. CDH

advantage of F is AdvF = Pr[ 1 ∧ 2 ∧ 3 ] = The Pr[ 1 ] · Pr[ 2 | 1 ] · Pr[ 3 | 1 ∧ 2 ]. If 1 happens, then: • F does not output failure during the simulation of the oracle Partial-Private-Key-Extract. This happens with probability (1 − (1/qC ))qPKEx . • F does not output failure during the simulation of the oracle Secret-Value-Extract. This happens with probability (1 − (1/qC ))qVEx . • F does not output failure during the simulation of signSuper oracle. This happens with probability (1 − (1/qC ))qS ≥ (1 − )qS . Therefore, Pr[ 1 ] ≥ (1 − (1/qC ))qPKEx +qVEx (1 − )qS . In addition, Pr[ 2 | 1 ] = ε and Pr[ 3 | 1 ∧ 2 ] = /qC . It follows that

/ t, F chooses ki , ki ∈R Z∗p and sets H0 (IDi ) = g i , (1) If i = ki k i

PK (IDi ,1) = Ppub , PK (IDi ,2) = g

ki k

i

. In this case, the correspond-

ing partial private key of the entity IDi is DIDi = H0 (IDi )s =

g ski and the secret value is xIDi = ki .

(2) If i = t, F chooses kt ∈R Z∗p and sets H0 (IDt ) = g kt , PK (IDt ,1) =

g askt , PK (IDt ,2) = g akt . Note that a is unknown to F. In this

case, F will set DIDt = g skt and xIDt =⊥ which means that it cannot compute the secret value of IDt . In both cases, F sends H0 (IDi ) and PK IDi = (PK (IDi ,1) , PK (IDi ,2) ) to AII , and adds (IDi , H0 (IDi ), DIDi , xIDi , PK IDi ) to C-List which is initially empty. 2. Public-Key-Replace: AII can request to replace the public key PK IDi of an entity IDi with a new public key PK ID chosen by AI i itself. Upon receiving such a request, F will replace the original public key PK IDi with PK ID if IDi has been created. Otherwise, F i outputs ⊥. Notice that the replacement of a public key does not require the secret value corresponding to the new public key. 3. Secret-Value-Extract: Given IDi chosen by AII , F outputs ⊥ if IDi has not been created. Else, if IDi has been created and i = / t,


F responds with xIDi = ki . Otherwise, i = t and F reports failure and terminates the simulation. 4. H1 queries: AII can query the random oracle H1 at any time by making a request ωi of the form ωi = mj ||IDk ||PK ID . F returns ⊥ k if IDk has not been created. Otherwise, for the ith H1 query • If IDk = / IDt , F first checks the C-List. (1) If (IDk , , , , PK ID ) is in the C-List, F picks a random elek ment Ri and sets H1 (ωi ) = Ri . (2) Otherwise, (IDk , , , PK ID ) is not in the C-List, which means k

that PK ID is generated by AII itself. F picks i ∈ Z∗p rank

i domly and sets H1 (ωi ) = PK (ID

(PK (ID ,1) , PK (ID ,2) ). k k

k ,2)

/PK (ID

k ,1)

. Here, PK ID = k

• Otherwise, IDk = IDt , F first flips a biased-coin which outputs i ∈ {0, 1} with Pr[ i = 1] = and Pr[ i = 0] = 1 − (the value of will be optimized later). (1) If i = 1, F picks a random i ∈ Z∗p and sets H1 (ωi ) = gi . (2) Otherwise, i = 0. F picks a random i ∈ Z∗p and sets i H1 (ωi ) = PK (IDt ,2) /PK (IDt ,1) . In both cases, F sends H1 (ωi ) to AII , and adds (mj , i , ωi , H1 (ωi )) if (IDk = / IDt ) or (mj , i , ωi , H1 (ωi ), i ) (if IDk = IDt ) on the H1 -List which is initially empty. 5. SignSuper : For each sign query on (mj , IDk , PK ID ), F outputs ⊥ if k IDk has not been created. Otherwise, IDk has already been created. Since we assume that AII is well-behaved, AII has already queried the random oracle H1 on the input ωi = (mj ||IDk ||PK ID ). k • If IDj = / IDt , and (1) (IDk , H0 (IDk ), DIDk , xIDk , PK ID ) is in the C-List, F can use k the private key (xIDk , DIDK ) of IDk and H1 (ωi ) on the H1 List to generate the valid signature i for the message mj and the identity IDk . (2) (IDk , , , , PK ID ) is not in the C-List, which means that PK ID

k

k

is generated by AII itself, F sets i = H0 (IDk )i .

Note that i is a valid signature on mj and PK ID = k

(PK (ID ,1) , PK (ID ,2) ) if PK ID is well-generated (which k k k means that PK (ID ,1) = PK a (IDk ,2) as they satisfy the equak tion eˆ (PK (ID ,1) , g) = eˆ (PK (ID ,2) , Ppub )). Assume PK (ID ,2) = k k k H0 (IDk )r for some unknown r. The correctness of i can be verified according to the following equation i = DIDk · H1 (ωi )r

−1

= (PK s (ID

k ,2)

= (PK (ID

k

r ,1) · H1 (ωi ))

−1

=

· H1 (ωi ))r

−1 i

. Therefore, F can compute g a

−1

−1

1 : F does not abort during the simulation. 1 : * is a valid forgery on (ID∗ , PK ∗ID , m∗ ). 1 : ID* = IDt and * = 1. Inv

Thus, the advantage of F is AdvF = Pr[ 1 ∧ 2 ∧ 3 ] = Pr[ 1 ] · Pr[ 2 | 1 ] · Pr[ 3 | 1 ∧ 2 ]. If 1 happens, then • F does not output failure during the simulation of the oracle Secret-Value-Extract. This happens with probability (1 − (1/qC ))qVEx . • F does not output failure during the simulation of SignSuper oracle. This happens with probability (1 − (1/qC ))qS ≥ (1 − )qS . Pr[ 1 ] ≥ (1 − (1/qC ))qVEx (1 − )qS . In addition, Therefore, Pr[ 2 | 1 ] = ε and Pr[ 3 | 1 ∧ 2 ] = /qC . It follows that Inv AdvF ≥ (1 − (1/qC ))qVEx (1 − )qS (/qC )ε. The function (1 − )qS is maximized at = 1/(qS + 1). Thus, Inv

AdvF ≥

1−

1 qC

qVEx

1−

1 qS + 1

qS

1 ε. qC (qS + 1)

This completes the proof of Theorem 7. Bao et al. (2003) showed the equivalence of CDH problem and InvCDH problem. In which follows, we will show the reductions of time and success probability from InvCDH problem to CDH problem. −1

Theorem 8. Suppose there is an algorithm F that can output g a on input of any given g, g a ∈ G∗1 with probability ı, in expected time bound T. Then there is another algorithm M which can solve the CDH problem and output gab on input of any given g, g a , g b ∈ G∗1 with probability ε3 in expected time 3T. From F, we can construct an algorithm M as follows:

1. M’s input is g, g a , g b ∈ G∗1 .

−1

2. M runs F with input ga , g (g can be used as g a a ). If F outputs 2 Y1 = g aa = g a , then go to the next step. −1 2 3. M runs F with input g b , g = g b b . If F outputs Y2 = g bb = g b , then go to the next step.

r −1

k ,1)

4. M runs F with input g a g b = g a+b , g = g (a+b)

= H0 (IDk )i .

(a+b) .

2

Y3 = g (a+b) , then go to the next step.

In both cases, F returns i to AII . • If IDi = IDt , then F first checks the H1 -List. (1) If i = 1, F reports failure and terminates the simulation. (2) Otherwise, i = 0 and F sets i = H0 (IDt )i which is sent to AII . Here i is the value on the H1 -List. The correctness of i can be verified in the same way as described above. Forgery: After all queries, AII outputs a forgery (ID∗ , PK ∗ID , m∗ , ∗ ) and wins the game if * is a valid forgery. By assumption, H1 (m∗ ||ID∗ ||PK ∗ID ) is on the H1 -List, where PK ∗ID must be the original public key generated by the oracle Create/ IDt , then F outputs failure and terminates the User. If ID* = simulation. Otherwise, ID* = IDt and F will check the H1 -List. (1) If * = 0, F outputs failure and terminates the simulation. (2) Otherwise, * = 1 and H1 (m∗ ||ID∗ ||PK ∗ID ) = g ∗i is on the H1 -List. Since * is a valid forgery and ID* = IDt , according to the veri−1

fication algorithm, we have ∗ = DIDt · H1 (m∗ ||ID∗ ||PK ∗ID )a

i

It remains to compute the probability that F can find g a . F will succeed if:

−1

r −1 k ,2)

= PK (IDi

−1

as ( ∗ /DIDt )

where DIDt = g skt is computed by F itself at step (2) of the Create-User query phase.

Proof.

−1

· PK (IDi ,2) k PK (ID ,1) k

PK (ID

DIDt · g a

1415

=

If F outputs

−1

5. M computes and outputs Y = (Y3 /(Y1 · Y2 ))2 . −1

Obviously, Y = (Y3 /(Y1 · Y2 ))2 = g ab . Hence, in expected time 3T, M can solve the CDH problem with success probability ı3 . With Theorems 7 and 8, we can get the conclusion that the proposed scheme is secure against type II adaptively chosen message and chosen ID adversary under the hardness assumption of CDH Problem in the random oracle model. 5. Comparison among existing certificateless signature schemes with short signature length In this section, we compare the proposed certificateless short signature scheme with other existing certificateless short signature schemes from the aspect of security, hardness assumption and computation cost required by a signer and a verifier, respectively.

1416


Table 1 Security levels and performance evaluation. Schemes

Adversary with oracle SignSuper

Hardness assumption

Cost sign-phase

Cost verify-phase

Proposed TYH (Tso et al., 2008, 2011) HMS (Huang et al., 2007) DW (Du and Wen, 2009) FHH (Fan et al., 2009)

Secure Insecure Insecure Insecure Insecure

CDH Modified k-CAA CDH k-CAA N/A

1EG1 1EG1 1EG1 1EG1 1EG1

2ê + 1EG1 1ê + 1EG1 2ê 1ê 1ê + 1EG1

We consider the most costly computations only such as pairing and exponentiation operations in G1 . In addition, some pre-computable operations are not included in the comparison. (For example, the computation of eˆ (g, g), eˆ (H0 (ID), Ppub ) of other schemes and the computation of eˆ (Ppub , PK (ID,2) ), eˆ (PK (ID,1) , g) of our scheme.) We denote by eˆ a computation of the pairing, EG1 an exponentiation in G1 , and EG2 an exponentiation in G2 . As shown in Table 1, signature generation in our scheme is almost as efficient as other schemes, but signature verification requires a little more computational cost. However, our scheme is the only certificateless signature scheme with short signature length and is secure against adversaries providing with super signing oracle SignSuper defined in this paper. To show that all the existing certificateless short signature schemes are not secure against this adversary, assume a strong adversary exists in their schemes. The adversary F can query a super signing oracle SignSuper with a false public key chosen by itself (and F also knows the corresponding secret value). Using the valid signature outputted from SignSuper and the secret value, then the partial private key can be extracted. Now, since F knows both the secret value and the partial private key of the target user, F can of course forge any signature on behalf of the target user. On the other hand, our scheme is well designed as the adversary cannot obtain any advantage by replacing the public key. 6. Conclusion In this paper, we proposed an efficient certificateless signature scheme which has a signature-length as short as Boneh et al.’s short signature. Furthermore, it is the only short certificateless signature scheme with provable security against a stronger adversary. The adversary defined in our model is given valid signatures under any public keys (in the public key space) chosen by itself. Our model captures the attack scenario that the adversary can obtain message/signature pairs which are valid under the public key chosen by the adversary without providing the corresponding secret value. This is the strongest one among all attackers considered in short certificateless signature schemes. We believe the new scheme is more suitable for systems with low-bandwidth channels and/or low-computation power but requiring a higher security level. References Au, M.H., Chen, J., Liu, Joseph K., Mu, Y., Duncan, Wong, S., Yang, G., 2007. Malicious KGC attacks in certificateless cryptography. In: Proceedings of ASIACCS’07, pp. 302–311. Al-Riyami, S.S., Paterson, K.G., 2003. Certificateless public key cryptography. Advances in Cryptology-ASISCRYPT’03. Lecture Notes in Computer Science 2894, 452–473. Bao, F., Deng, R.H., Zhu, H., 2003. Variations of Diffie–Hellman problem. Proceedings of ICICS’03. Lecture Notes in Computer Science 2836, 301–312. Barr, K., Asanovic, K., 2003. Energy aware lossless data compression. In: Proceedings of the ACM Conference on Mobile Systems, Applications, and Services (MobiSys). Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M., 2002. Efficient algorithm for pairingbased cryptosystems. Advances in Cryptology-CRYPTO’02. Lecture Notes in Computer Science 2442, 354–369. Barreto, P.S.L.M., Lynn, B., Scott, M., 2003. On the selection of pairing-friendly groups. Proceedings of SAC’03. Lecture Notes in Computer Science 3006, 17–25.

Bellare, M., Neven, G., 2006. Multi-signatures in the plain public-key model and a general forking lemma. In: Proceedings of the 13th ACM Conference on Computer and Communication Security, pp. 390–398. Boneh, D., Boyen, X., 2004. Short signatures without random oracles. Advances in Cryptology-EUROCRYPT’04. Lecture Notes in Computer Science 3027, 56–73. Boneh, D., Lynn, B., Shacham, H., 2001. Short signatures from the Weil pairing. Advances in Cryptology-ASIACRYPT’01. Lecture Notes in Computer Science 2248, 514–533. Boneh, D., Shen, E., Waters, B., 2006. Strongly unforgeable signatures based on computational Diffie–Hellman. Proceedings of PKC’06. Lecture Notes in Computer Science 3958, 229–240. Diffie, W., Hellman, M., 1976. New directions in cryptography. In: IEEE Transactions on Information Theory, IT, vol. 2 (6), pp. 644–654. Du, H., Wen, Q., 2009. Efficient and provably-secure certificateless short signature scheme from bilinear pairings. International Journal of Computer Standards & Interfaces 31, 390–394. Fan, C., Hsu, R., Ho, P. Cyptanalysis on Du–Wen certificateless short signature scheme. In Proceedings of JWIS09. Available at http://jwis2009.nsysu.edu.tw/location/paper/Cryptanalysis. Girault, M., 1991. Self-certified public keys. Advances in Cryptology-EUROCRYPT’91. Lecture Notes in Computer Science 547, 490–497. Goldwasser, S., Micali, S., Rivest, R.L., 1988. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing 17 (2), 281–308. Gorantla, M.C., Saxena, A., 2005. An efficient certificateless signature scheme. Proceedings of CIS’05. Lecture Notes in Artificial Intelligence 3802 (II), 110–116. Hu, B.C., Wong, D.S., Zhang, Z., Deng, X., 2007. Certificatelss signature: a new security model and an improved generic construction. Designs, Codes and Cryptography 42 (2), 109–126. Huang, X., Mu, Y., Susilo, W., Wong, D.S., Wu, W., 2007. Certificateles signature revisited. Proceedings of ACISP’07. Lecture Notes in Computer Science 4586, 308–322. Huang, X., Susilo, W., Mu, Y., Zhang, F., 2005. On the security of certificateless signature schemes from Asiacrypt 2003. Proceedings of CANS’05. Lecture Notes in Computer Science 3810, 13–25. Pfitzmann, B., Sadeghi, A., 2000. Anonymous fingerprinting withdirect nonrepudiation. Advances in Cryptology-ASISCRYPT’00. Lecture Notes in Computer Science 1976, 401–414. Shamir, A., 1984. Identity-based cryptosystems and signature schemes. Advances in Cryptology-CRYPTO’84. Lecture Notes in Computer Science 0196, 47–53. Tso, R., Okamoto, T., Okamoto, E., 2009. Efficient short signatures from pairing. In: Proceedings of ITNG’09, pp. 417–422. Tso, R., Yi, X., Huang, X., 2008. Efficient and short certificateless signature. Proceedings of CANS’08. Lecture Notes in Computer Science 5339, 64–79. Tso, R., Yi, X., Huang, X., 2011. Efficient and short certificateless signatures secure against realistic adversaries. The Journal of Supercomputing 55 (2), 173–191. Wu, W., Mu, Y., Susilo, W., Huang, X., 2009. Certificate-based signature revisited. Journal of Universal Computer Science 15 (8), 1659–1684. Yap, W.L., Heng, S.H., Goi, B.M., 2006. An efficient certificteless signature. Proceedings of EUC Workshops’06. Lecture Notes in Computer Science 4097, 322–331. Yum, D.H., Lee, P.J., 2004. Generic construction of certificateless signature. Proceedings of ACISP’04. Lecture Note in Computer Science 3108, 200–211. Zhang, F., Safavi-Naini, R., Susilo, W., 2003. An efficient signature scheme from bilinear pairings and its applications. Proceedings of PKC’04. Lecture Notes in Computer Science 2947, 277–290. Zhang, Z., Wong, D.S., Xu, J., Feng, D., 2006. Certificateless public-key signature: security model and efficient construction. Proceedings of ACNS’06. Lecture Notes in Computer Science 3989, 293–308.

Raylin Tso is an assistant professor of Computer Science at National Chengchi University, Taiwan. He received his PhD degree in Systems and Information Engineering from University of Tsukuba, Japan in 2006. His research interests are mainly in cryptography including secret sharing, key agreement, digital signatures, certificateless cryptosystems, etc. Recently, his research activities are focused on certificateless signatures and digital signatures that providing privacy protection.


Xinyi Huang received his PhD in Computer Science (Information Security) in 2009 from the School of Computer Science and Software Engineering, University of Wollongong, Australia. He is now with Fujian Normal University, China. His research interests focus on cryptography and its applications in information systems. He has published more than 50 referred research papers at international conferences and journals.

1417

Willy Susilo received a PhD in Computer Science from University of Wollongong, Australia. He is a Professor at the School of Computer Science and Software Engineering and the co-director of Centre for Computer and Information Security Research (CCISR) at the University of Wollongong. He is currently holding the prestigious ARC Future Fellow awarded by the Australian Research Council (ARC).His main research interests include cryptography and information security. His main contribution is in the area of digital signature schemes. He has served as a program committee member in dozens of international conferences. He has published numerous publications in the area of digital signature schemes and encryption schemes.